Update accessPackageAssignmentPolicy

Namespace: microsoft.graph

Update an existing accessPackageAssignmentPolicy object to change one or more of its properties, such as the display name or description.


One of the following permissions is required to call this API. To learn more, including how to choose permissions, see Permissions.

Permission type Permissions (from least to most privileged)
Delegated (work or school account) EntitlementManagement.ReadWrite.All
Delegated (personal Microsoft account) Not supported.
Application EntitlementManagement.ReadWrite.All

HTTP request

PUT /identityGovernance/entitlementManagement/assignmentPolicies/{accessPackageAssignmentPolicyId}

Request headers

Name Description
Authorization Bearer {token}. Required.
Content-Type application/json. Required.

Request body

In the request body, supply only the values for properties that should be updated. Existing properties that are not included in the request body will maintain their previous values or be recalculated based on changes to other property values.

The following table specifies the properties that can be updated.

Property Type Description
displayName String The display name of the policy.
description String The description of the policy.
allowedTargetScope allowedTargetScope Who is allowed to request the access package through this policy. The possible values are: notSpecified, specificDirectoryUsers, specificConnectedOrganizationUsers, specificDirectoryServicePrincipals, allMemberUsers, allDirectoryUsers, allDirectoryServicePrincipals, allConfiguredConnectedOrganizationUsers, allExternalUsers, unknownFutureValue.
automaticRequestSettings accessPackageAutomaticRequestSettings This property is only present for an auto assignment policy; if absent, this is a request-based policy.
specificAllowedTargets subjectSet collection The principals that can be assigned access from an access package through this policy.
expiration expirationPattern The expiration date for assignments created in this policy.
requestorSettings accessPackageAssignmentRequestorSettings Provides additional settings to select who can create a request for an access package assignment through this policy, and what they can include in their request.
requestApprovalSettings accessPackageAssignmentApprovalSettings Specifies the settings for approval of requests for an access package assignment through this policy. For example, if approval is required for new requests.
reviewSettings accessPackageReviewSettings Settings for access reviews of assignments through this policy.


If successful, this method returns a 200 OK response code and an updated accessPackageAssignmentPolicy object in the response body.



PUT https://graph.microsoft.com/v1.0/identityGovernance/entitlementManagement/assignmentPolicies/87e1c7f7-c7f7-87e1-f7c7-e187f7c7e187
Content-Type: application/json

  "displayName": "All Users",
  "description": "All users can request for access to the directory.",
  "allowedTargetScope": "allDirectoryUsers",
  "automaticRequestSettings": null,
  "specificAllowedTargets": [],
  "expiration": {
      "type": "noExpiration"
  "requestorSettings": {
      "enableTargetsToSelfAddAccess": true,
      "enableTargetsToSelfUpdateAccess": false,
      "enableTargetsToSelfRemoveAccess": true,
      "allowCustomAssignmentSchedule": false,
      "enableOnBehalfRequestorsToAddAccess": false,
      "enableOnBehalfRequestorsToUpdateAccess": false,
      "enableOnBehalfRequestorsToRemoveAccess": false,
      "onBehalfRequestors": []
  "requestApprovalSettings": {
      "isApprovalRequiredForAdd": true,
      "isApprovalRequiredForUpdate": false,
      "stages": [
              "durationBeforeAutomaticDenial": "P2D",
              "isApproverJustificationRequired": false,
              "isEscalationEnabled": false,
              "durationBeforeEscalation": "PT0S",
              "primaryApprovers": [
                      "@odata.type": "#microsoft.graph.requestorManager",
                      "managerLevel": 1
              "fallbackPrimaryApprovers": [
                      "@odata.type": "#microsoft.graph.singleUser",
                      "userId": "e6bf4d7d-6824-4dd0-809d-5bf42d4817c2",
                      "description": "user"
              "escalationApprovers": [],
              "fallbackEscalationApprovers": []
  "accessPackage": {
        "id": "49d2c59b-0a81-463d-a8ec-ddad3935d8a0"


Note: The response object shown here might be shortened for readability.

HTTP/1.1 200 OK
Content-Type: application/json

  "id": "87e1c7f7-c7f7-87e1-f7c7-e187f7c7e187",
  "displayName": "All Users",
  "description": "All users can request for access to the directory."